Enabling gateway-level authentication

The gateway ships with a number of default gateway-level authentication settings. There is a default role of AuthenticatedUsers, which includes the special group 'AllAuthenticatedUsers'. When security is enabled, you must supply a user ID and password to use the gateway administrative interface or to invoke a gateway service.

This task covers the three main areas in which you might want to make changes:

  • Changing the default gateway-level authentication settings.

  • Enabling gateway-level authentication.

  • Assigning users and groups to roles.

Note:

  • If you want to change the default gateway-level authentication settings, do so before you install any channels. When you run the script that installs the gateway itself (either into a deployment manager cell or into a stand-alone appserver) you also install the following channels:

    So if you change the default gateway-level authentication settings after you install the gateway, you then need to re-run the gateway install.

  • You can enable gateway-level authentication, and assign users and groups to roles, at any time.

  • After gateway-level authentication has been enabled, filters have access to the requester's authentication information.

 

  1. To change the default gateway-level authentication settings, use the WebSphere Application Server Application Assembly Tool (AAT) to complete the following steps:

    1. Set up a role and realm for the gateway on WebSphere Application Server's Web server and servlet container.

    2. Define the user ID and password that is used by the gateway to access the role and realm.

    3. Modify the gateway's channel applications so that they only give access to the gateway to service requesters that supply the correct user ID and password for that role and realm.

  2. To enable gateway-level authentication, complete the following steps:

    1. Start the WebSphere Application Server administrative server.

    2. Start the administrative console.

    3. In the navigation pane, select Security -> Global Security.

    4. In the main pane, on the Configuration tab, select the "Enabled" check box.

    5. Save the settings.

    6. Stop, then restart the appserver.

    7. Close the administrative console.

  3. You can use the AAT or the administrative console to assign users and groups to roles. To map users to roles using the administrative console, complete the following steps:

    1. Start the WebSphere Application Server administrative server.

    2. Start the administrative console.

    3. In the navigation pane, select Application -> Enterprise Applications -> wsgw. In the main pane, an option to map security roles to users and groups appears in the Additional Properties table.

    4. Modify the security roles and save the settings.

    5. Repeat the previous two steps for each enterprise application that you want to modify.

    6. Stop, then restart the appserver.

    7. Close the administrative console.

    For more information see Assigning users and groups to roles.

    Note: The current jacl install scripts do not let you assign users to roles as part of installing the gateway into a deployment manager cell or into a stand-alone appserver.
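The following check is an added example, not part of the original documentation or the product's own code. It audits a channel application's web deployment descriptor after step 1 to confirm that every request requires the AuthenticatedUsers role. It assumes the security settings made in the AAT end up in a standard J2EE web.xml; the realm name ExampleGatewayRealm, the /* URL pattern, the sample descriptors and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors for illustration; not taken from the gateway's channel applications.
# WEAK limits the constraint to GET and omits login-config and the role declaration.
PROTECTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>channel</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>AuthenticatedUsers</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>ExampleGatewayRealm</realm-name></login-config>
  <security-role><role-name>AuthenticatedUsers</role-name></security-role>
</web-app>"""
WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>channel</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>AuthenticatedUsers</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def texts(node, path):
    """Stripped text of every element matching path below node."""
    return [(e.text or "").strip() for e in node.findall(path)]

def audit(web_xml, role="AuthenticatedUsers"):
    """Return findings; an empty list means every request to /* requires `role`."""
    root, findings, covered = ET.fromstring(web_xml), [], False
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            if role not in texts(sc, "auth-constraint/role-name") or "/*" not in texts(wrc, "url-pattern"):
                continue
            methods = texts(wrc, "http-method")
            if methods:  # listed methods only; all other methods stay unconstrained
                findings.append("constraint covers only http-method %s" % ",".join(methods))
            else:
                covered = True
    if not covered:
        findings.append("no constraint requires role %s for all methods on /*" % role)
    if not texts(root, "login-config/auth-method"):
        findings.append("no login-config auth-method declared")
    if role not in texts(root, "security-role/role-name"):
        findings.append("role %s not declared in security-role" % role)
    return findings
```

Run `audit()` on the web.xml extracted from each channel application before you install the channel, because the note above says that changing these settings later means re-running the gateway install.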

 

What to do next

You might now want to enable operation-level authorization, or install the gateway.

